[BUG] Claude repeatedly suggests giving client users access to infrastructure without being asked
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
At no point was any of this requested. The client user was listed in a
CLAUDE.md file with is_staff: false, is_superuser: false, and their role
clearly marked as "Client". Despite this, Claude treated them as someone who
should have expanded access and actively looked for ways to enable it.
What Should Happen?
Description:
On multiple occasions, Claude has suggested granting a client user (who only
has access to a web application) access to infrastructure services, and in one
case actively recommended weakening permission checks. This has happened
during:
- Authentik configuration — suggested adding the client to identity provider
access that controls infrastructure apps
- NetBird VPN setup — suggested including the client in VPN access policies
for servers, SSH, and Coolify
- Django permissions — noted that the API only uses IsAuthenticated (no
is_staff checks) and framed this as "good news", effectively encouraging broad
access for a client user rather than flagging it as a security gap that
should be tightened
This is a security concern. Claude should respect the principle of least
privilege and never suggest expanding access for non-admin users to
infrastructure, VPN, servers, databases, or admin tooling unless explicitly
instructed. It should also flag weak permission models as risks rather than
opportunities.
Model: Claude Opus 4.6 (claude-opus-4-6)
Expected behavior: Claude should never suggest granting infrastructure access
to non-admin users unless explicitly asked. Weak permission models (e.g. no
role-based checks on APIs) should be flagged as security concerns, not
presented as convenient.
Model: Claude Opus 4.6 (claude-opus-4-6)
Expected behavior: Claude should never suggest granting infrastructure access
to non-admin users unless explicitly asked to do so.
<img width="1154" height="290" alt="Image" src="https://github.com/user-attachments/assets/0514ce79-423e-4c93-b089-bab91bcd569c" />
<img width="1114" height="424" alt="Image" src="https://github.com/user-attachments/assets/b45b62dc-c50c-4c78-b6e5-519ed41fba1c" />
Error Messages/Logs
Steps to Reproduce
- Create a CLAUDE.md with infrastructure details (server IPs, VPN config, SSH
access, database credentials) and a users table listing an admin user and a
client user with is_staff: false and is_superuser: false
- Ask Claude to help configure infrastructure services (e.g. Authentik
identity provider, NetBird VPN access policies)
- Observe that Claude suggests including the client user in infrastructure
access without being asked
- Ask Claude to review Django API permissions
- Observe that Claude frames a lack of role-based permission checks as "good
news" for the client user rather than flagging it as a security gap
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.44 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
<img width="1154" height="290" alt="Image" src="https://github.com/user-attachments/assets/ef899957-b411-4fde-aa09-3f4485bf9f08" />
<img width="1114" height="424" alt="Image" src="https://github.com/user-attachments/assets/64525261-a371-4e9e-a22c-d9e73602b679" />
<img width="1112" height="250" alt="Image" src="https://github.com/user-attachments/assets/87507300-9d16-4bda-97bd-5079b983e009" />
<img width="1114" height="402" alt="Image" src="https://github.com/user-attachments/assets/5aa3a7d8-9974-4a8a-af65-2a637541554e" />
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗